Goal: Document and review the latest Lazarus PowerRatankba.B, PowerShell installer script leading to the 64-bit keylogger version (Pakistan version).
2019-01-25: #Lazarus #DPRK #Malware Sample Spotted #PowerShell exploitation/installer script -> “shell_script” & base64-encoded “capture_x64.dll” keylogger (compilation: Sept 24, 2018)
Upload from Pakistan 🤔
cc @KevinPerlow / @DrunkBinary pic.twitter.com/6DwNhBSKqL
— Vitali Kremez (@VK_Intel) January 25, 2019
This analysis is a continuation of the reporting on the recent Lazarus toolkits. It is notable that the latest discovered PowerRatankba.B toolkit, uploaded from Pakistan, is almost identical to the Chilean Redbanc incident, with a slightly different hardcoded URI structure ending in “cgetpsa” and “cgetruna” on the same server, while the recently uploaded Lazarus PowerShell installer (and its keylogger) bears similarity to the ones shared by the Vietnamese CERT. It is possible that the Lazarus group targeted financial institutions in both Chile and Pakistan using the same command-and-control server, and earlier in Vietnam.
Before diving deeper into the Lazarus PowerShell installation and keylogger analysis, I highly recommend reading the Norfolk Infosec blog titled “A Lazarus Keylogger- PSLogger”, which details an older Lazarus version of the similar script, its installation, and the keylogger DLL component. As noted there, the script and its installation do not contain the command-and-control protocol, which likely means that the group exfiltrates the screenshot and keylogger information at a later point via other means.
I have also uploaded MISP JSON and CSV associated with the Lazarus tools (Pakistan) to GitHub k-vitali/apt_lazarus_toolkits for detection and mitigation of this threat.
II. PowerShell PowerRatankba.B “REG_LOCALDATA.ps1” (Pakistan)
The latest identified PowerRatankba.B, uploaded from Pakistan, represents a reconnaissance Lazarus tool whose script and logic are almost identical to those of the Chilean Redbanc incident (using the same server), differing only in the URI structure and in the absence of the commented-out additional server.
III. Lazarus PowerShell Installer Script “hm.ps1” (Pakistan)
The main script setup is as follows:
B. “DoProcess” Function
Essentially, the “DoProcess” function takes the string-type parameter $Target_PID and builds a file path with random hex characters of the form “C:\windows\temp\tmp[0-9A-F].ps1”.
The malware parses “shell_script”, replaces “|” with “a”, base64-decodes the result, and replaces the “EXECUTION_BINARY” value with the base64 version of the 64-bit (x64) keylogger DLL. Additionally, it replaces “PROCESSID” with the “$Target_PID” argument, writes the resulting script to the tmp file, and executes it via “Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList -ep bypass -file C:\windows\temp\tmp[0-9A-F].ps1”.
The code itself is PowerSploit’s PowerShell “Invoke-ReflectivePEInjection”, which decodes the base64 DLL to binary and reflectively injects it into a remote process.
The malware forces the use of address space layout randomization (ASLR) on the loaded PE even if the PE indicates it does not support ASLR. Additionally, the malware passes -FuncReturnType, the return type of the function being called in the DLL; it passes the -ProcId parameter by substituting $idProcess = ‘PROCESSID’ from the main flow loop code, and substitutes $InputString = ‘EXECUTION_BINARY’ with the dropped Lazarus 64-bit keylogger “capture_x64.dll”.
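The DoProcess flow above, modelled as a reversible string pipeline plus the triage routine an analyst would run over a recovered “tmp[0-9A-F].ps1”. This is added example code, not the installer’s own script: the function names, the minimal PE stub, the template and the PID value are constructed here; the “|”/“a” swap, the placeholders and the $idProcess / $InputString variable names come from the analysis.

```python
import base64
import re
import struct
from datetime import datetime, timezone

# Placeholders the installer substitutes into the decoded "shell_script" template.
BINARY_PLACEHOLDER = "EXECUTION_BINARY"
PID_PLACEHOLDER = "PROCESSID"


def decode_shell_script(blob: str) -> str:
    """Undo the installer's obfuscation: the stored base64 has every 'a'
    swapped for '|', so restoring 'a' makes it decodable again."""
    return base64.b64decode(blob.replace("|", "a")).decode("utf-8")


def render_stage(template: str, dll_bytes: bytes, target_pid: int) -> str:
    """Reproduce only DoProcess's text substitution, i.e. the content that
    ends up in C:\\windows\\temp\\tmpXXXX.ps1 (no execution)."""
    return (template.replace(BINARY_PLACEHOLDER, base64.b64encode(dll_bytes).decode())
                    .replace(PID_PLACEHOLDER, str(target_pid)))


def triage_dropped_script(ps1_text: str) -> dict:
    """Recover the target PID and embedded DLL from a dropped script and read
    the COFF TimeDateStamp, the compile time the post lists for capture_x64.dll."""
    pid = int(re.search(r"\$idProcess\s*=\s*'(\d+)'", ps1_text).group(1))
    b64 = re.search(r"\$InputString\s*=\s*'([A-Za-z0-9+/=]+)'", ps1_text).group(1)
    pe = base64.b64decode(b64)
    if pe[:2] != b"MZ":
        raise ValueError("embedded payload is not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]   # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, _sections, timestamp = struct.unpack_from("<HHI", pe, e_lfanew + 4)
    return {
        "target_pid": pid,
        "is_x64": machine == 0x8664,   # IMAGE_FILE_MACHINE_AMD64
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "size": len(pe),
    }


# Constructed sample inputs (not real samples): a minimal x64 PE stub carrying the
# compile timestamp reported above, and a template holding the two placeholders.
FAKE_DLL = (b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
            + struct.pack("<HHI", 0x8664, 0, 1537782273) + b"\0" * 16)
TEMPLATE = "$idProcess = 'PROCESSID'\n$InputString = 'EXECUTION_BINARY'\n"
SHELL_SCRIPT = base64.b64encode(TEMPLATE.encode()).decode().replace("a", "|")

if __name__ == "__main__":
    dropped = render_stage(decode_shell_script(SHELL_SCRIPT), FAKE_DLL, 4242)
    print(triage_dropped_script(dropped))
```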
IV. Lazarus Keylogger 64-bit (x64) “capture_x64.dll”
The keylogger malware is 64-bit with the compilation timestamp Monday, September 24 09:44:33 2018 UTC. It contains the same screenshot library, the same export function “Process”, and the same XZip library as the reported Vietnamese and Pakistani keyloggers, with the same setup as described in detail by Norfolk Infosec.
V. Yara Signature: Keylogger